The 8 GDPR privacy rights and SuperOffice CRM

Written by Cathrine Mula Davis. Published by Miriam Eirin Hiorth Johnson, 3 Jul 2018. Updated 9 Sep 2021

The General Data Protection Regulation (GDPR) has finally come into force, triggering significant changes to the way businesses process and protect personal data of their customers.

Companies that work with EU citizens’ data by now should have been ready to meet the main GDPR requirements, or, at least, have a solid plan of how to become GDPR compliant.

Yet, there are still a lot of companies that struggle to get the hang of what the GDPR means, how it affects their business and how to make it all work. So, it’s not surprising that it will take a while before we all return to “business as usual”.

The long road to GDPR compliance

Since SuperOffice has always taken protection of individual data very seriously, we started our GDPR preparations quite early.

That’s why, for more than a year, we have been offering you a lot of information on how to understand and prepare for the arrival of the GDPR – articles, blogs posts, videos, whitepapers, check lists, webinars, etc.

As a company, we started getting ready for the GDPR two years ago already. All this time we researched and explored how the new EU regulation affected our business. Then, we began to upgrade our product and share our GDPR knowledge with our customers. And it seems like we did it quite well, as SuperOffice now offers a fully GDPR compliant product!

Yet, we also realized that it may be still difficult, and at times overwhelming, to comprehend the many different pieces of information that we’ve offered during all this time, as the GDPR is a serious change.

SuperOffice CRM and the 8 privacy rights

In order to help you see the “big picture” of how SuperOffice CRM can be used to support the new data protection and processing rules outlined in the GDPR, we’ve decided to offer you one more piece of practical information.

In this article, we want to explain how SuperOffice CRM can support the 8 GDPR privacy rights across the entire personal data lifecycle: from the first time you collect a contact’s data and register it in your CRM system, to the point when you no longer need to store it.

See how SuperOffice CRM supports the following privacy rights below:

  • The right to object
    • Whether it’s a lead, a new contact with an existing customer contract, a partner or a supplier – it all starts with the collection of personal data.

      Generally speaking, collecting personal data is still perfectly legal under the GDPR. However, the new EU law highlights that a company needs to have and document legitimate reasons for collecting and storing such data, depending on a business type, purpose and other circumstances, as specified in Article 5. A company is also required to inform a person within 30 days that it has stored personal information.

      The GDPR also makes it very clear that everyone has the right to object to their personal data being collected, stored and used. The new EU regulation outlines that an individual has the right to object to direct marketing and some European marketing laws even require you to obtain explicit consent in order to send any marketing message at all.

      That is why when “explicit consent” is used as the legal basis for data processing, you need to document where, when and how this consent was obtained (Article 7). This will be especially handy if a supervisory authority requests documentation from you.

      How can SuperOffice CRM help you address this right?

      GDPR article: 21, 21

      Definition: A data subject has the right to object to their personal data being processed, regardless of whether or not they gave explicit consent to their data being processed. EU data subjects also have a right to stop personal data from being included in direct marketing databases.

      SuperOffice functionality

      In order to be able to satisfy a person’s right to object to their data being processed by your company, you will, first of all, need to be able to properly document the type of consent and the legal basis for data processing. Only then, you will have enough information and tools to respond to your contact’s objection. Tracking customers’ consents means you know if and when someone has objected.

      To always be in control and have the necessary documentation in place if anyone enquires about their consent or legal basis for processing their personal data, you can use the Consent and Subscription management features in SuperOffice CRM.

      • Consent Management tools allow you to register what consents you have for each person in your database, when and how you got the consent and who registered it, as well as to log the legal basis.
      • Subscription Management tools allow you to keep track of the different types of communication someone has agreed to receive from you. These features ensure that you do not send e-marketing communications to people who have not given their permission for you to do so.


  • The right to be informed
    • Transparency is key in the new GDPR world. All companies and organizations should now be completely clear as to what data they store and how, and specify it in a plain and easy-to-understand language typically in their privacy policies.

      The GDPR is set to protect the individuals from having their personal data stored and used without their knowledge. This is important because if you don’t know whether and how your data is being used, it is impossible to object to it. So, the right to be informed ensures that people are able to exercise the right to object.

      Another facet of the right to be informed is related to data breach incidents. When the security of personal data is in danger, people have the right to be informed about this data leak within 72 hours after the leak has been discovered. But if the personal data breach is severe and the rights of people are at high risk, then data subjects should be notified about the breach without undue delay!

      Your company is responsible for ensuring that the personal data you store stays securely protected and private. In the unfortunate case of an information leak or a confidentiality breach, the GDPR strictly requests companies to report personal data incidents and take preventive actions promptly.

      In fact, all incidents that compromise data security need to be discovered, reported and handled by a data controller in one way or another. And, if somebody reports a security-threatening incident, it’s very important that this message doesn’t get lost in your inbox.

      How can SuperOffice CRM help you address this right?

      GDPR article: 12, 13, 14, 19

      Definition: A data subject has the right to know how his/her personal data will be collected, processed, stored, and for what purposes, before data is actually collected.

      SuperOffice functionality

      There is a set of functions in SuperOffice CRM that can help you inform your contacts that you store information on them in your CRM solution.

      • Automatic email: Each time you create a new contact, you can set up your SuperOffice CRM to send an automatic email informing the new person about you storing their data. Of course, you can decide on the content of this email and the source that triggers its dispatch. The email does not need to be automatic; however, by tasking the system to do this for you, means that you can be sure it is done every single time a new contact gets registered.
      • Selections and mailings: You can also create selections and use mailings to inform groups of individuals about your processing their data. You can also find scripting features in SuperOffice CRM 8.1 and above, meaning you can create customized automated flows of actions, based on your business needs.
      • SuperOffice Forms: In the upcoming version of SuperOffice CRM (8.4) you will be able to benefit from new features that will help you inform individuals upfront when you collect their personal data. You will be able to create special forms on your website or in your mailings that will not only provide links to your privacy statements, but will also automatically update the consents stored inside SuperOffice CRM. 

      To help you handle data breaches and other privacy threats, SuperOffice Service offers you tools that handle such incidents in an intelligent and GDPR-compliant way.

      • SuperOffice Service allows you to not only receive all requests, enquiries and other messages in one place, but also to categorize these incoming messages by the type of issue they relate to. This way you can prioritize and schedule handling of each type of incident more efficiently. In SuperOffice Service you can define the steps for handling every type of incident, so that urgent matters are taken care of without delay. Moreover, you can store all relevant documentation describing what happened, when and how a data leak or an incident has been handled.
      • Selections and mailings: If the nature of the incident requires you to notify the people affected by it, you can do so it quickly by running a Selection and then use setting up a mass mailing to send a notification.
  • The right to access personal data
    • The GDPR also ensures that all people have the right to access their personal information and know how this information has been obtained and is being used by a company.  

      Every company now needs to be able to provide a copy of the personal data they store on each contact, if and when somebody requests it. This, in turn, means that you need to have it well documented and have the means to deliver the information to the persons requesting it.

      How can SuperOffice CRM help you address this right?

      GDPR articles: 12, 15

      Definition: A data subject has the right to know how his/her personal information has been collected, processed and stored, what data exists, and for what purposes.

      SuperOffice functionality

      In order to help you satisfy this right, SuperOffice CRM offers you a number of features.

      • Consent Management: These features allow you to document the legal basis, the source of data, as well as when and how any consents were obtained, in line with the GDPR. Knowing this information allows you to quickly and easily provide a contact with the correct summary.
      • Personal data report: Available in the latest version of SuperOffice CRM (8.3), the report allows you to offer access to the personal data you have stored on a particular person. Easily created, this report provides an accurate summary relevant only to the person requesting it. To ensure maximum protection, you can decide who in your organization should have access to create and distribute such a report.
      • Shared inbox in SuperOffice Service: You can create dedicated mailboxes in SuperOffice Service, in which all privacy-related requests will be received and handled. This way you will avoid losing any important questions or requests, and be able to respond to such requests efficiently, offering full visibility of whether and how such requests were handled.


  • The right to correct information
    • Also known as the right to rectification, this GDPR right ensures that companies take measures to allow people to change and correct their information if it is outdated, inaccurate or incomplete. Companies that work with the EU citizens data, from now on, have to provide individuals with a possibility to review and, if necessary, correct the data, as well as to confirm the correction to the requestor.

      To correct something, a person, first, needs to know what information a company stores on them. After they’ve identified what needs to be corrected, they would also want to receive a confirmation that the information has been corrected.

      How can SuperOffice CRM help you address this right?

      GDPR articles: 12, 16

      Definition: A data subject has the right to have incorrect or incomplete data corrected.

      SuperOffice functionality

      In order to help you satisfy this right, SuperOffice CRM offers you a number of features.

      • Shared inbox in SuperOffice Service: In order to be able to provide information and obtain requests to correct data, you need a centralized, dedicated place to receive such requests and follow up on them. That’s why a shared inbox in SuperOffice Service can help, as correction requests will be stored as customer requests and you can monitor better whether or not they have been resolved. 
      • Editing fields in SuperOffice: It has always been possible for the users of SuperOffice CRM to edit the information on a contact directly in the system. However, you may want to impose some restrictions on who can edit or what they can edit. For example, if you use another system as the “master” database, you may not necessary want to give everyone the right to edit, but instead define the authorization steps that needs to be taken in order to delete information.
      • Personal data report: This new functionality available in the latest version of SuperOffice CRM allows you to easily send a confirmation to a contact that their information has been corrected.


  • The right to be forgotten
    • The GDPR not only states that a person can request that his/her data is deleted from a company’s database, but it also mandates companies to remove personal data form their systems when they no longer have any legal basis for keeping it (Article 5).

      So, even if someone does not ask to be deleted, you still cannot keep their personal data indefinitely without a legitimate reason to do so. It means you have to clean up your data regularly and make sure that all the information entries are stored in line with your company’s privacy policies.

      In order to be fully compliant in relation to this right, your company needs to ensure that the following functionality is in place: (a) you’re able to track all data related to a contact, (b) you’re able to delete information if requested; (c) you’re able to send confirmation that the data was deleted; (d) you’re able to automatically delete data after a necessary (determined) retention period is over.

      How can SuperOffice CRM help you address this right?

      GDPR articles: 12, 17

      Definition: A data subject has the right to have personal data permanently deleted.

      SuperOffice functionality

      In order to be able to easily satisfy this right, you need to have a procedure for receiving such requests from people who want to be forgotten.

      • Shared inbox in SuperOffice Service: You can create dedicated mailboxes in SuperOffice Service, where all such requests will be received and handled, and nothing is lost. Using a shared inbox to capture such privacy-related requests makes it possible for a company to make the necessary assessment, before they delete an individual contact. SuperOffice Service inbox can also help you respond to such requests efficiently, offering full visibility of whether and how such requests were handled.
      • Delete an individual contact: The newest version of SuperOffice CRM (8.3) allows you to view all contact-related information in a dedicated screen, making it easier to delete individual contacts. When a contact is deleted, all data is automatically anonymized in the activities stored elsewhere in SuperOffice. This way you do not lose other relevant data that affects your business. Make sure you assign the right to delete contacts exclusively to the people in your organization who should be dealing with such requests.
      • Bulk delete contacts from a selection: Available in SuperOffice CRM 8.3 or newer, this functionality allows you to delete a number of contacts at once. For example, you can identify a set of contacts or companies that you no longer want to store in your SuperOffice CRM and then mass delete them rather than having to do it one by one. A useful time-saver!
      • Correct deletion mistakes in the recycle bin: Deleting contacts is sometimes a tricky business. If a contact or a company has been deleted by mistake, you can undo it by using the “recycle bin”. Even though a deleted contact or a company are immediately hidden from all users, they are still available for a few days in the recycle bin from which you are able to restore a company or a contact that was mistakenly deleted. 
      • SuperOffice SAINT: Another way to easily find the contacts that you need to delete from your database is by using SuperOffice SAINT, which helps you to create SAINT selection and find exactly the customers that match your search criteria. SuperOffice will find these contacts and place them in a dynamic selection for you, so you can decide what action to take.
      • Automate the deletion of contacts: You can create a CRM script to delete contacts if they satisfy certain criteria that you have defined for when a contact should be removed from your database. The criteria may be a contact’s category coupled with lack of consents, activities over a given time and so on. Such automatic processes can ensure that there are no obsolete data in your database, which means less work for your CRM team.
  • The right to data portability
    • The GDPR outlines that individuals have the right to transfer their personal data to other service providers or reuse it for other purposes. The data subjects also have the right to have their data transferred directly from one data controller to another, without them having to handle the data.

      If your company receives such a request, you need to be able to provide a summary of the data you store in your database in a structured, commonly used and machine-readable format.

      Most of the time such requests are necessary when people switch their banks or insurance providers.

      How can SuperOffice CRM help you address this right?

      GDPR articles: 12, 20

      Definition: A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a secure way, in a commonly used format.

      SuperOffice functionality

      This privacy right is only really relevant to the users of  SuperOffice CRM if the solution is integrated with another system that collects personal data without human intervention. If such data is added to SuperOffice CRM via an integration, then it is necessary to also be able to provide a data report to requesting individuals.

      There are no special features in SuperOffice CRM that address this particular GDPR right; however, you still have a few possibilities to offer a report on the data you have stored on an individual by:

      • Creating a Selection of the data that pertains to an individual who requested a portable report and later exporting all data fields to an Excel file.
  • The right to restrict processing
    • In line with the GDPR, individuals have the right to restrict or suppress processing of their personal data.

      Any person can make a restriction request verbally or in writing, and a data controller has one calendar month to respond to the request. A data file that contains information on a person who restricted processing may remain in a company’s system, but the company cannot use this information in any way.

      How can SuperOffice CRM help you address this right?

      GDPR articles: 12, 16, 21

      Definition: A data subject has the right to block or suppress their data being processed by public authorities or companies processing without explicit consent, as well as the right to stop personal data from being included in direct marketing databases.

      SuperOffice functionality

      There are no special features in SuperOffice CRM that address this right. In our view, the only thing that an individual is likely to restrict processing of is their inclusion in the email marketing distribution lists.

      However, there are still a few tools that can help you address this right in SuperOffice CRM, if needed:

      • Subscription Management allows you to easily restrict the dispatch of any mailings or sending any other unwanted communication to a certain contact.
      • SuperOffice SAINT can be used to set up visual alerts in the system each time a contact person requests to not be processed. For example, you can define a field, such as a tick-box or a list option, which, if activated (marked), triggers SAINT to alert a CRM user that this contact has asked to be put on “hold”. This also makes it easier to ensure that no contacts with such “restriction” criteria are included in mailing selections or other external communication activities.
  •  The right to not be subject to automated decision making
    • This right, also known as the right to manual processing, is set to protect people against the risk of being subject to a potentially damaging decision that is made without human intervention.

      Although it may sound complicated, let’s clarify what it means: the people on whom you store information have the right to choose to not to be the subject of a decision based on automated processing, especially when this decision may entail legal consequences related to them. This means that they can ask for manual (human) processing of their information, in order to avoid being subject to a potentially harmful automated decision-making.

      So, instead of algorithms making a decision on a person, those will have to be human beings!

      This right also defines profiling – an automated processing of personal data to evaluate certain things about an individual. Profiling can be part of an automated decision-making process too.

      How can SuperOffice CRM help you address this right?

      GDPR articles: 12, 22

      Definition: A data subject has the right to demand human intervention, rather than having important decisions made solely by an algorithm or other automated processing.

      SuperOffice functionality

      This right is more relevant to other systems than what a CRM solution typically is used for. Exercising this right is relevant to the systems that determine whether someone is eligible for a bank loan or insurance coverage, and similar. 

      Therefore, there are no specific features in SuperOffice CRM to support this right directly, other than the opportunity to capture requests for manual processing by setting up the shared inbox in SuperOffice Service.

SuperOffice as a GDPR-compliant CRM software

By all means, the above is only a summary of how you can use SuperOffice to support the GDPR requirements inside your company.

Please bear in mind that the information in this article should not be considered as legal advice, nor does it list all the ways that you can use SuperOffice to support your business processes.

SuperOffice CRM is by nature a flexible system, and there are many different ways to implement and use its features. How you are going to use them will entirely depend on your company’s business processes.

What we wanted to do in this article is give you some useful ideas on how SuperOffice CRM can help you handle your customers’ privacy and lawfully protect their data. We also wanted to demonstrate how the GDPR-related functionality works.

In fact, we asked DLA Piper – an international law firm that made GDPR as one of its areas of expertise – to review SuperOffice CRM and get their assessment of how it supports the new EU regulation.

We are very proud to say that they called SuperOffice CRM a GDPR-compliant software and concluded that that the companies that use SuperOffice CRM are well supported to meet the GDPR requirements. You can read their full report here.

What to do now

Your next steps depend on where you currently are on your journey to GDPR compliance.

You can always rely on a wealth of GDPR-related content that we published: articles, checklists, tips and videos.

In order to get access to the latest set of GDPR features your company may need to upgrade to the latest version of SuperOffice CRM. Just contact your SuperOffice representative to learn more about getting access to the latest features. 

Disclaimer: The content in this article is not to be considered legal advice and should be used for information purposes only.